application of homomorphism to secure image sharing

AUTHOR QUERY FORM

Journal: OPTICS Please e-mail or fax your responses and any corrections to:E-mail: [email protected]: +1 619 699 6721

Article Number: 16275

Dear Author,

Any queries or remarks that have arisen during the processing of your manuscript are listed below and highlighted by flags inthe proof. Please check your proof carefully and mark all corrections at the appropriate place in the proof (e.g., by using on-screen annotation in the PDF file) or compile them in a separate list.

For correction or revision of any artwork, please consult http://www.elsevier.com/artworkinstructions.

Any queries or remarks that have arisen during the processing of your manuscript are listed below and highlighted by flags inthe proof. Click on the ‘Q’ link to go to the location in the proof.

Locationin article

Query / Remark: click on the Q link to goPlease insert your reply or correction at the corresponding line in the proof

Q1 Table 2 was not cited in the text. Please check that the citation suggested by the copyeditor is in theappropriate place, and correct if necessary.

Q2 Please supply the year of publication.

Thank you for your assistance.

Our reference: OPTICS 16275 P-authorquery-v8

of 1

mailto:[email protected]

http://www.elsevier.com/artworkinstructions

http://www.elsevier.com/artworkinstructions

1

2

345

6

78910111213141516171819202122

45

46

47

48

49

50

51

52

53

54

55

56

57

58

59

60

61

62

Optics Communications xxx (2011) xxx–xxx

OPTICS-16275; No of Pages 18

Contents lists available at ScienceDirect

Optics Communications

j ourna l homepage: www.e lsev ie r.com/ locate /optcom

F

Application of homomorphism to secure image sharing

Naveed Islam a, William Puech a,⁎, Khizar Hayat b, Robert Brouzet c

a LIRMM Laboratory, UMR CNRS, 5506, University of Montpellier II, 161 rue Ada, 34392 Montpellier, Franceb Department of Computer Science, COMSATS Institute of Information Technology, University Road, 22060 Abbottabad, Pakistanc I3M Laboratory, UMR CNRS 5149, University of Montpellier II, 34392 Montpellier, France
O
⁎ Corresponding author.E-mail addresses: [email protected] (N. Islam),

(W. Puech), [email protected] (K. Hayat), robert.b

0030-4018/$ – see front matter © 2011 Elsevier B.V. Aldoi:10.1016/j.optcom.2011.05.079

Please cite this article as: N. Islam, et al.,j.optcom.2011.05.079

Oa b s t r a c t
a r t i c l e i n f o
23

24

25

26

27

28

29

30

31

32

33

34

Article history:Received 5 November 2010Received in revised form 8 April 2011Accepted 30 May 2011Available online xxxx

Keywords:CryptosystemHomomorphismImage encryptionRSAPaillierSecurity

35

36

37

38

39

40

41
ECTED P
RIn this paper, we present a new approach for sharing images between l players by exploiting the additive andmultiplicative homomorphic properties of two well-known public key cryptosystems, i.e. RSA and Paillier.Contrary to the traditional schemes, the proposed approach employs secret sharing in a way that limits theinfluence of the dealer over the protocol and allows each player to participate with the help of his key-image.With the proposed approach, during the encryption step, each player encrypts his own key-image using thedealer's public key. The dealer encrypts the secret-to-be-shared image with the same public key and then, thel encrypted key-images plus the encrypted to-be shared image are multiplied homomorphically to getanother encrypted image. After this step, the dealer can safely get a scrambled image which corresponds tothe addition or multiplication of the l+1 original images (l key-images plus the secret image) because of theadditive homomorphic property of the Paillier algorithm or multiplicative homomorphic property of the RSAalgorithm. When the l players want to extract the secret image, they do not need to use keys and the dealerhas no role. Indeed, with our approach, to extract the secret image, the l players need only to subtract theirown key-image with no specific order from the scrambled image. Thus, the proposed approach provides anopportunity to use operators like multiplication on encrypted images for the development of a secure privacypreserving protocol in the image domain. We show that it is still possible to extract a visible version of thesecret image with only l-1 key-images (when one key-image is missing) or when the l key-images used for theextraction are different from the l original key-images due to a lossy compression for example. Experimentalresults and security analysis verify and prove that the proposed approach is secure from cryptographicviewpoint.

42

[email protected]@unimes.fr (R. Brouzet).

l rights reserved.

Application of homomorphism to secure im

© 2011 Elsevier B.V. All rights reserved.

4344
R
63

64

65

66

67

68

69

70

71

72

73

74

75

76

77

78

79

UNCO

R1. Introduction

With each passing day, digital communication is becoming increas-ingly vulnerable to malicious interventions or monitoring like hackingor eavesdropping. The security of sensitive visual data in applications,like safe storage, authentication, copyright protection, remote militaryimage communication or confidential video-conferencing, requires newstrategies for safe transmission over insecure channel. There are twocommon techniques used for the secure transmission of data, namelycryptography and steganography. The confidentiality can be ensuredmaking the message unreadable, with the help of secret keys, withcryptography [1] and with steganography by hiding the message insome innocent carrier signal [2]. Homomorphic cryptosystems are aspecial type of cryptosystems that preserves group operationsperformed on ciphertexts. A homomorphic cryptosystem has theproperty that when any specific algebraic operation is performed onthe data input before encryption, the resulting encryption is same as if

80

81

82

83

an algebraic operation is performed on the data input after encryption[3]. Homomorphic property of public key cryptosystems has beenemployed in various data security protocols like electronic votingsystem, bidding protocols, cashing systems and asymmetric finger-printing of images [4].

The classical approach of applying cryptographic techniques tovisual data, e.g. an image, is to convert each pixel or block of pixels ofthe image into a ciphered value and transmit it through some channel,not necessarily secure, towards the receiver. The receiver applies thedecryption algorithm on the encrypted image to transform it back toits original pixel form. Due to the large size of the visual data, largerstorage capacities, computation time and higher transmissionbandwidths are required. Keeping these three factors in view, mostof the existing systems rely on symmetric cryptosystemwhich, due tothe use of limited key size, produces a ciphered image that not onlyrequires low computation time during encryption or decryption butalso lower memories relative to the asymmetric cryptosystems [5–7].Asymmetric cryptosystems usually employ relatively larger key sizesfor data encryption, resulting in higher memory and computationalcosts. That is why even today they are employed for tasks like keymanagement and authentication.

age sharing, Opt. Commun. (2011), doi:10.1016/

http://dx.doi.org/10.1016/j.optcom.2011.05.079






http://www.sciencedirect.com/science/journal/00304018



T

84

85

86

87

88

89

90

91

92

93

94

95

96

97

98

99

100

101

102

103

104

105

106

107

108

109

110

111

112

113

114

115

116

117

118

119

120

121

122

123

124

125

126

127

128

129

130

131

132

133

134

135

136

137

138

139

140

141

142

143

144

145

146

147

148

149

150

151

152

153

154

155

156

157

158

159

160

161

162

163

164

165

166

167

168

169

170

171

172

173

174

175

176

177

178179180181182

183

184

185

186

187188189

190

191192193

194

195

196

197

198

199

200

201

202

203

204

205

2 N. Islam et al. / Optics Communications xxx (2011) xxx–xxx

UNCO

RREC

For the shared trust and distributed environment, secret sharingschemes provide sufficient security in various communicationapplications. Secret sharing is a method to divide a secret S intocertain l number of shares i.e. s1, …, sl, where each individual share sidoes not have any information about the secret S. The secret S can bereproduced if k shares (with k≤ l) are combined. Traditional secretsharing schemes can be traced back to the (k, l) threshold schemewhich partitions the secret message into l shares and requires at leastk ormore shares for the reconstruction. Secret sharing over visual datais called Visual Secret Sharing (VSS), where the secret image isrequired to be shared among a group of players and all the shares areneeded in the construction of the secret image [8,9]. The problemwithtraditional secret sharing scheme is the possibility of dishonest dealer,whomay favor some individual or a group of players or may provide awrong share to some players. Similarly, the players are only at thereceiving and decryption end and lacks of player participation in theencryption step limit the capabilities of the secret sharing scheme inmany applications.

Unlike the traditional secret sharing schemes, the proposedscheme does not make shares of the original secret image butconstructs a combined secret from various key-images from theplayers and there is only one resultant image which is to be sharedamong all the players of the secret. Thus, this approach limits thedealer's contribution in the creation of the secret shares and allowsthe player participation for secret sharing trust. In this paper, weprovide two different applications, one employing the additivehomomorphic property of the Paillier cryptosystem [10] and theother relying on the multiplicative homomorphic property of the RSAcryptosystem [1] to share a secret image using l key-images for thesharing, transfer and extraction of the original secret image. With theproposed approach, the processing time to extract the secret sharedimage is very low because it is based on simple arithmetic operations.Moreover, the scrambled shared image preserves the original size. Wewill also notice that the dealer does not intervene in the extractionprocess and no specific order is followed while using the key-imagesof the players.

This paper is organized as follows. In Section 2, we give anintroduction of Paillier and RSA with special reference to theirhomomorphic property and we explain how to apply it to an image.The proposed algorithms are detailed in Section 3, which begins withan application scenario, followed by general steps of the proposedapproach. Due to the multiplicative homomorphic property of RSA,the extracted image could have noisy pixels, therefore the probabilitydistribution of these noisy pixels and their effects is also presented inSection 3. Experimental results along with the security analysis of theproposed scheme are studied in Section 4. Finally, Section 5 gives abrief summary and concluding remarks.

2. Previous work

We denote by Zn the set of integers modulo n, by Zn⁎ the set ofinvertible elements modulo n, i.e. all integers that are relatively primeto n, by gcd() the greatest common divisor, by lcm() the least commonmultiple, by E() the encryption function, by D() the decryptionfunction, by ϕ(n) the total number of integers less than and relativelyprimes to n, byM the message that is partitioned into the blocksm(i),and by C the ciphertext that is partitioned into blocks c(i) in cor-respondence to m(i). In this paper, the term encryption refers to theuse of cryptographic encryption while the term scrambling refers toother techniques which make the signal lose its significance.

This section introduces some classical cryptographic protocols,including both the symmetric and asymmetric cryptosystems. Paillierand RSA cryptosystems are explained in detail with special referenceto their homomorphic character. Thereafter, we discuss the use ofcryptography in image domain along with the partitioning of imageinto blocks for the use of larger key sizes for security. Finally, we

Please cite this article as: N. Islam, et al., Application of homomorphj.optcom.2011.05.079

ED P

RO

OF

present the standard protocol for image transmission and then give abrief description of VSS schemes.

Extra storage capacities and special computation are required formultimedia data, like images, videos or 3D objects, due to theinvolvement of huge amount of data. Various cryptographic tech-niques are used for the secure transfer of multimedia data. Modernimage based cryptographic techniques may involve full encryption orselective encryption of the image, depending on the application. Sincemany applications require real time performance, partial encryption ismostly preferred [11]. Encryption approaches can be divided intosymmetric-key cryptosystems or asymmetric-key cryptosystems. Insymmetric cryptosystems, the same key is used for both encryptionand decryption. Symmetric key cryptosystems are usually very fastand easy to use. Since the same key is used for encryption anddecryption, the key needs to be securely shared between the emitterand the receiver. In asymmetric cryptosystem, two different keys arerequired: the public and the private keys. With the receiver's publickey, the sender encrypts the message and sends it to the receiver whodecrypts the message with his private key. Some known algorithmsare RSA [1], Paillier cryptosystems [10] and El Gamal [12]. RSA and ElGamal are public-key cryptosystemswhich support the homomorphicoperation of multiplication modulo n whereas Paillier cryptosystemsupports the homomorphic addition of encrypted messages.

2.1. Paillier encryption scheme

Pascal Paillier proposed a cryptosystem which is based on com-posite degree residousity class problem [10]. The public and privatekeys are generated as follows. Let n=p×q, where p and q are twolarge and different prime numbers such that gcd(n, ϕ(n))=1,calculate λ(n)= lcm(p−1, q−1) and choose g∈Zn2

⁎ such that gcd(L(gλ(n)mod n2), n)=1, where L tð Þ = t−1ð Þ

n . The public key iscomposed of (n, g) and the private key is composed of λ(n). Thus,the message space is represented by Zn and the cipher space isrepresented by Zn2

⁎ , which means that the size of the cipher spaceis square of the size of the message space.

For the encryption, the plaintext M is partitioned into blocks m(i)such that m(i)bn and for each plaintext m(i) we get a ciphertext c(i).Thus, given a message block m(i) with 0≤m(i)bn, and a public key(n, g), choose a random number ri∈Zn⁎, then the encryption c(i) ofm(i) is given by:

c ið Þ = E m ið Þð Þ ≡ gm ið Þrni mod n2: ð1Þ

Given a ciphertext c(i) with 0≤c(i)bn2 and a private key λ(n), thedecryption m(i) of c(i) is given by:

m ið Þ = D c ið Þð Þ ≡L cλ nð Þ mod n2� �L gλ nð Þ mod n2� � mod n: ð2Þ

Cryptosystems are either deterministic or probabilistic: determin-istic cryptosystem produces the same ciphertext every time for thesame plaintext and keys while probabilistic cryptosystem, like Paillier,includes a random number ri which produces different values for theciphertext providing the same plaintext.

Example: assume primes p and q are given as p=7, q=11, thenn=p×q=77. Let g=2, r1=5, r2=6 and let the two messages bem1=4 andm2=5. Then, the encryption ofm1 is given as: c1≡gm1×r1

n

mod n2=24×577mod 772=3436 and the encryption of m2 is givenas: c2≡gm2×r2

n mod n2=25×677 mod 772=4623.

2.2. RSA cryptosystem

RSA is a well known asymmetric cryptosystem, developed in 1978[1]. The main procedure consists of selecting two large and different

ism to secure image sharing, Opt. Commun. (2011), doi:10.1016/



Original text:

Inserted Text

"s"

Original text:

Inserted Text

"’"

Original text:

Inserted Text

"are"

Original text:

Inserted Text

"’"

T

206

207

208

209

210

211

212

213214215

216

217218219

220

221

222

223

224

225

226

227

228229230

231

232

233234235236237

238239

240241242

243

244245246

247

248

249

250251252

253

254

255

256

257

258

259

260

261

262

263

264

265

266

267

268

269

270

271

272

273

274

275

276

277

278

279

280

281

282

283

284

285

286

287

288

289

290

291292293

294

295296297

298

299

300

301

302

303

304305

1 For example: 8 bits for a gray level image.

3N. Islam et al. / Optics Communications xxx (2011) xxx–xxx

UNCO

RREC

prime numbers p and q, calculating their product n=p×q andselecting an integer e, which is relatively prime to ϕ(n) and with1bebϕ(n), where ϕ() is the Euler's function. We need to calculate d,the inverse of e with d≡e−1mod ϕ(n). The public key is composed ofthe couple (e, n) and the private key is (d). For the encryption, theplaintext M is also partitioned into blocks m(i) such that m(i)bn andfor each plaintext m(i) we get a ciphertext c(i):

c ið Þ = E m ið Þð Þ ≡ m ið Þe mod n: ð3Þ

For the decryption, with the ciphertext c(i) we can obtain theoriginal plaintext m(i) by the equation:

m ið Þ = D c ið Þð Þ ≡ c ið Þd mod n: ð4Þ

Example: assume primes p and q are given as p=7, q=17, thenn=p×q=119. If e=5, then gcd(ϕ(119), 5)=1 and we get d≡e−1

mod ϕ(n)=77. Let the input message be m1=22 and m2=19, thenthe encryption of m1 is given as: c1≡225mod 119=99 and theencryption of m2 is given as: c2≡195mod119=66.

2.3. Homomorphism

Most of the well known asymmetric cryptosystems follow eitheradditive homomorphism or multiplicative homomorphism. Afunction is said to be homomorphic if it obeys the following condition:

f x ⊕ yð Þ = f xð Þ ⊗ f yð Þ; ð5Þ

where ⊗ and ⊕ may be any distinct arithmetic operations. InCryptography, any encryption algorithm E() is said to be homomor-phic if, given E(mx) and E(my), one can obtain E(mx⊕my) withoutdecrypting E(mx) and E(my) [13]. For E(), with Eq. (5) we have then:

E mx ⊕ my

� �= E mxð Þ ⊗ E my

� �; ð6Þ

where ⊕ and ⊗ can be addition or multiplication. Usually the ⊕operation is either addition or multiplication while the⊗ operation ismultiplication. A decryption function D() is said to be homomorphicif:

D E mxð Þ ⊗ E my

� �� = D E mx ⊕ my

� �� ; ð7Þ

and then:

D E mxð Þ ⊗ E my

� �� = mx ⊕ my: ð8Þ

With the algorithm of Paillier, the decryption obeys the followinghomomorphic property: ∀m(i)∈Zn and i∈N,

D ∏p

i=1E m ið Þð Þmod n2

� �≡ ∑

p

i=1m ið Þmod n: ð9Þ

Due to additive homomorphic property, Paillier cryptosystem iswidely used in electronic voting system.

Similarly, the decryption function of the RSA algorithm obeys thefollowing multiplicative homomorphism:

D ∏p

i=1E m ið Þð Þmod n

� �≡ ∏

p

i=1m ið Þmod n: ð10Þ

For the proposed approach, presented Section 3, we have usedthese two properties.

Example (Paillier): with the values of the example presented inSection2.1wehave c3=c1×c2≡3436×4623mod772=837. Applyingthe decryption algorithmover c3 results in 9,which is equivalent to the


ED P

RO

OF

addition of the two plaintexts i.e. m3=m1+m2≡4+5 mod 77=9.Hence Paillier supports homomorphic operationof additionmodulo n2

over the plaintext, presented in Eq. (9).Example (RSA): with the values of the example presented in

Section 2.2 we have c3=c1×c2≡99×66mod 119=108. Applying thedecryption algorithm over c3 results in 61, which is equivalent tothe multiplication of the two plaintexts i.e. m3=m1×m2≡22×19mod 119=61. Hence RSA supports homomorphic operation ofmultiplication modulo n, presented in Eq. (10).

2.4. Image encryption

If one considers the message space of an image limited to the sizeof the pixel and does not want to increase the size of the encryptedimage, then the required key size is very limited. This makes thesecured image vulnerable to any brute force attack and an adversarymay be able to retrieve the key. Contrary to the limited-sized key, ifhigher level security is provided through standard key size like 1024bits, the overall size of the encrypted image may increase up to thekey-sized multiple its initial size, depending on the cryptosysteminvolved. Extreme care must be taken while calculating the values ofthe keys because the quality of the encrypted image depends on thevalue of the public key and bad keys can produce encrypted imageswhich resemble the original image [14]. In the block-based imageencryption scheme, as described in Section 2 for plaintext M, theimage is partitioned into equal-sized blocks, depending on the size ofthe key. The creation of block and encryption should be carried out insuch a way that the encrypted image does not reveal any structuralinformation about its original contents. Other recent approaches inimage security are based on chaotic functions, which are character-ized by ergodicity (stochastic behavior of image), extreme depen-dence on initial condition and randomness in the image [15–17]. Theuse of carrier image for the encryption of image has been presented in[18] using private key cryptosystem in the frequency domain.

If the length of the encryption key is γ bits, then the number ofpixels, b, in each block is given by:

b = γ= kd e; ð11Þ

where k is the number of bits in a single pixel.1 Let an image composedof H×L pixels p(i), where 0≤ ibH×L, the construction of the blockvalues from the original image pixels p(i) is given as:

m ið Þ = ∑b−1

j=0p i�b + jð Þ × 2kj

; ð12Þ

where 0≤ ib ⌈H×L/b⌉ for the block-partitioned image.For Paillier cryptosystem, to be applied on each block, let m(i) be

the ith constructed block of an image, then the encryption of m(i) isgiven by Eq. (1), wherem(i) is coded on γ bits and c(i) is coded on 2γbits. Similarly for RSA cryptosystem, the encryption ofm(i) is given bythe Eq. (3), where m(i) and c(i) both are coded on γ bits.

After the decryption, the extraction of the original pixels from thetransformed blocked image is given by:

if j = 0

p i × b + jð Þ ≡ m ið Þmod 2k

else

p i × b + jð Þ ≡ m ið Þmod 2k j + 1ð Þ

−∑j−1l = 0p lð ÞÞ= 2kj

:

8>>>>>>>><>>>>>>>>:

ð13Þ




Original text:

Inserted Text

"("

Original text:

Inserted Text

")"

Original text:

Inserted Text

"("

Original text:

Inserted Text

")"

Original text:

Inserted Text

"’"

Original text:

Inserted Text

"grey "

T306

307

308

309

310

311

312

313

314

315

316

317

318

319

320

321

322

323

324

325

326

327

328

329

330

331

332

333

334

335

336

337

338

339

340

341

342

343

344

345

346

347

348

349

350

351

352

353

354

355

356

357

358

359

360

361

362

363

364

365

366

367

368

369

Fig. 1. Standard way for image transmission.


RREC

2.5. Standard protocol for image transmission

The standard protocol for secure data transfer is based on thesecurity of the keys. In a standard asymmetric procedure, if a user P1wants to send an image M1 to user P2, he will first encrypt the imagewith the public key of the receiver i.e. P2. This encrypted image will bethen transmitted to the user P2 over a transmission channel, notnecessarily secured. At the receiving end, in order to read the image,the user P2 will decrypt the image with his private key, as shown inFig. 1.

In the case where l players want to share and transmit anencrypted image, a naive way would require l keys for the encryptionof the secret image. Each player will encrypt the image with hisprivate key and for the decryption of the secret shared image, eachplayer will be required to use his private key to decrypt the secretimage. The major disadvantage is the computational cost involved atboth the sending and receiving ends, as shown in Fig. 2.

2.6. Visual cryptography

Visual cryptography, introduced by Naor and Shamir [9], involvesthe encoding of a secret image S into l shared images. These sharedimages are distributed among the players but each of them does notreveal any information about the secret image. Moreover, the secret

UNCO

Fig. 2. A naive approach for encryption an


ED P

RO

OF

image can only be revealed if the l shared images are stacked. In (k, l)-threshold scheme, the secret S can only be reconstructed from any kout of l shares but not fewer. The (k, l)-threshold scheme was furtherextended to general access structures when the concept of qualifiedsets and forbidden sets were introduced [19]. Here a set T=(1, …, l)is called the participant set, which is partitioned into two subsetscalled the qualified t(1)qual and the forbidden t(2)forb sets, such that,t(1)qual∩ t(2)forb=ϕ and the pair(t(1), t(2)) is called the generalaccess structure of the scheme. The minimal qualified set is definedas: Min(qualified)={A∈ t(1)qual:A′∉ t(1)qual, ∀A′⊂A}.

VSS schemes were mostly applied on a single grayscale image butfurther developments on multiple secret image sharing have beenproposed in [20]. One of the characteristics of the traditional visualsecret sharing schemes was that the reconstructed image had a lot ofnoise, i.e. the reconstructed image was not 100% the original secretimage and that is why a number of methods were introduced for thequality optimizations of the decrypted images [21]. Similarly the useof multiple grayscale or color secret image in VSS schemes wasstudied in [22–24].

Unlike VSS, the proposed approach is based on the contribution ofsecret shares of all the players for the creation of a secret sharingprotocol using some public key cryptosystem. During the extraction ofthe secret image, all the l secret shares are required which isanalogous to (l, l) scheme in VSS. It must be noted that for additivehomomorphic scheme the proposed approach can be used as (l−1, l)scheme for the extraction of a missing key-image being utilized in thesecret sharing process. Also the (l, l) scheme can be modified to (l , l)scheme in additive homomorphism, where l represents any visualdistortions (such compression, filtering, noise, …) in the key-imagesduring the process of extraction (presented Section 4.1). In theproposed approach, presented inSection 3, the dealer wants to share asecret image among l players, but to extract the shared image, the lplayers do not need the dealer.

3. The proposed encryption method

In this section we first give a scenario where the proposedapproach can be used. This is followed by an overview of the proposedapproach which includes the encryption and decryption stepsfollowed by the extraction of the secret shared image. We discussthe problems of multiplicative homomorphic cryptosystem of RSAduring the extraction process, which can lead to visual loss of pixels(noisy pixels) in the extracted shared secret image. We analyze theprobability distribution of such noisy pixels, due to RSA cryptosystem,for various block sizes.

d decryption of shared secret image.




Original text:

Inserted Text

"has"

Original text:

Inserted Text

" percent"

Original text:

Inserted Text

"were"

T

370

371

372

373

374

375

376

377

378

379

380

381

382

383

384

385

386

387

388

389

390

391

392

393

394

395

396

397

398

399

400

401

402

403

404

405

406

407

408

409

410

411

412

413

414

415

416

417

418

419

420

421

422

423

424

425

426

427

428

429

430

431

432

433

434

435

436

437

438


C

3.1. Scenario

Assume that a secret image is to be shared by a dealer among agroup of l remote skeptic players. Since the players and the dealer donot trust each other, traditional secret sharing schemes which requirethe dealer to make share of the secrets, would not be applicable in thisscenario. We assume that each remote player has his own secretimage called key-image, which is used in the creation of the proposedshared secret. The proposed secret sharing scheme makes a singleshare which is given to each player as a secret shared image. Thesecret image can be reconstructed when the shared secret image plusthe l key-images are combined together. If modern cryptographicapproaches are applied, the naive way would require l keys for theencryption and the decryption of the shared secret image as describedin Section 2.5.

To accomplish this secret sharing, the dealer transmits to eachplayer a scrambled shared secret image which is constructed from allthe key-images of the l players. The l players can then togetherconstruct the secret image. Note that the processing time is decreasedduring the extraction of the secret image because no decryptionalgorithm is required. We can also notice that the dealer has no roleduring the extraction and the secret shared image has preserved theoriginal size.

3.2. Overview

As described in the scenario, the purpose of the proposed schemeis to securely share a secret image among a group of l players and evenif an intruder gets a copy of the protected shared image, he must notbe able to extract the original secret image. Also, at the receiving end,traditional arithmetic operation is used for the extraction of the secretimage. This reduces the load of decryption at each step. Thuscomputation gain at the receiving end is achieved due to the use ofkey-images. Let a secret image be shared among l participants, whereeach of the l participants has his own key-image and all the imageshave the same size. We take these l+1 images –M1, …, Ml and thesecret image to be shared,Mx– and partition each image into blocks by

UNCO

RRE

Fig. 3. Overview of pr


ED P

RO

OF

using Eq. (12). With the public key given by the dealer, an asymmetricencryption is applied on each block of the l+1 transformed images.Note that the same public key is used for the individual encryption ofthe l+1 images.

After all the l+1 images have been encrypted, the proposedapproach takesmodulomultiplication of the l+1 encrypted images ina specific order so that none of the individual secret image is exposedto any other participant and no information about the number of theparticipants are revealed and thus get another encrypted image Cy.Because of the homomorphic property, this encrypted image must bethe same if we had first applied any arithmetic operation like additionor multiplication over the l+1 original images to get a scrambledimage and then apply a homomorphic encryption algorithm. Thisencrypted image Cy is decrypted to get a scrambled imageMy which istransferred over any insecure channel, to be shared among therecipients. Since My contains components of all the l key-images andthe secret original image Mx, one can extract any one of the l+1original images if l key-images are available. At the receiving end, aswe have the l key-images and we have the scrambled image My, wecan then extract the secret original image Mx.

3.3. Encryption step

For each block of the l+1 images M1, …, Ml and Mx, the proposedscheme can be developed with the two homomorphic encryptionschemes presented in Section 2, Paillier and RSA, using Eqs. (1)and (3).

The individual encryption of the l+1 original images i.e. M1,…,Ml

(l key-images) and Mx (secret image) will result into l+1 encryptedimages C1, …, Cl and Cx, respectively. Incremental multiplication ofeach encrypted image with another encrypted image results in a newencrypted image, which is fed-forward into the homomorphicmultiplication process till the secret encrypted image Mx is input togive the final encrypted image Cy in the end, as shown in Fig. 3. Thusall the individual encrypted images are used in the process of securingthe secret image Mx but no individual key-image is revealed. Sincetwo different encryption schemes can be used, the size of each block

oposed method.




Original text:

Inserted Text

" is to"

Original text:

Inserted Text

"are"

Original text:

Inserted Text

"-"

Original text:

Inserted Text

"-"

Original text:

Inserted Text

"in"

T

439

440

441

442

443

444

445

446

447448449

450

451452453

454

455

456

457

458

459

460

461

462

463464

465

466

467

468

469

470

471472473

474

475

476

477

478

479

480

481

482

483

484

485

486

487488489

490491


of the resultant encrypted image could also be different. Thus, if theproposed scheme is applied over Paillier cryptosystem, each block ofthe l+1 encrypted images C1,…, Cl and Cxwould have values between0 and 22γ−1 while for RSA cryptosystem the block values wouldbe between 0 and 2γ−1. After the step forward multiplication of allthe l+1 encrypted images, modulo operation must be applied to getscrambled blocks of Cy, codable on γ and 2γ bits. For Paillier algorithm,the following equation is followed for the modulo operations:

cy ið Þ ≡ ∏l

l=1cl ið Þ × cx ið Þ

!mod n2

: ð14Þ

For RSA the following equation is followed for the modulooperations:

cy ið Þ ≡ ∏l

l=1cl ið Þ × cx ið Þ

!mod n: ð15Þ

Note that the modulo operation is based on n2 while using Pailliercryptosystem. The encrypted image Cy is built from the blocks cy(i)and its decrypted imageMy is our intended image to be transferred orshared through some channel, not necessarily secured.

3.4. Decryption and extraction for Paillier scheme

The block diagram for the decryption and extraction by theproposed method, using the Paillier cryptosystem, is shown in Fig. 4.At the receiving end, we haveM1,…,Ml andMy andwewant to extractMx. Due to the additive homomorphic property of Paillier, we havefrom Eqs. (9) and (14):

my ið Þ ≡ ∑l

l=1ml ið Þ + mx ið Þ

!mod n: ð16Þ

UNCO

RREC

Fig. 4. Decryption and extraction o


ED P

RO

OF

We can compute inverse modulo of Eq. (16), which gives uniquevalues for the blocks mx(i) of the image Mx. Now if M1, …, Ml and My

are given and we want to extract Mx, it is similar to say that m1(i), …,ml(i) and my(i) are given and we want to extract mx(i), i.e. we areinterested in solution of a modular equation if mx(i) is not known.Sincem1(i),…,ml(i) andmy(i) are given, then from Eq. (16) we have:

mx ið Þ ≡ my ið Þ− ∑l

l=1ml ið Þ

!mod n: ð17Þ

With Paillier cryptosystem, the approach is totally reversible, wecan extract the secret shared imagewithout loss. As illustrated in Fig. 4,the processing time is decreased during the extraction of the secretimage because no decryption algorithm is carried out. We can alsonotice that the dealer does not intervene in the extraction process andno specific order of using the key-images of the players is necessary.

3.5. Decryption, extraction and reconstruction for RSA scheme

3.5.1. Extraction of the best solutionThe process of decryption and extraction using RSA is analogous to

Paillier cryptosystem in Fig. 4 but since RSA is multiplicativehomomorphic, the operations in Fig. 4 are changed to multiplication.At the receiving end, we haveM1,…,Ml andMy andwewant to extractMx. Due to the multiplicative homomorphic property of RSA, we havefrom Eqs. (10) and (15):

my ið Þ ≡ ∏l

l=1ml ið Þ × mx ið Þ

!mod n: ð18Þ

The extraction of secret image mx(i) is given as:

mx ið Þ ≡ my ið Þ × ∏l

l=1ml ið Þ−1

!mod n: ð19Þ

f the protected shared image.




Original text:

Inserted Text

"tothe"

T

492

493

494

495

496

497

498

499

500

501

502

503

504

505

506

507

508

509

510

511

512513514

515

516

517

518

519

520

521

522

523

524

525

526

527

528

529

530

531

532

533

534

535

536

537

538

539540

541542

543

544545546

547

548549550

551

552

553

554

555

556

557

558

559

560

561

562

563

564

565

566

567

568

569

570

571

572

573

574

575

576577578

579

580

581582

583584585

586


UNCO

RREC

The result presented in Eq. (19) holds onlywhen the initial data setdo not contain factors of the prime product n=p×q. Indeed, duringthe multiplicative inverse operation multiple solutions for theextraction can appear. It means that multiplicative homomorphiccryptosystem generates noise in the decryption and extractionprocess due to prime multiplicity.

In order to explain the prime multiplicity problem in multiplica-tive homomorphic cryptosystem, we try to apply the proposedscheme on two images which have pixel-block values which arefactors of the prime product. We assumed that a secret imageMx is tobe shared or transferred through insecure channel and a key-imageM1 is used as a carrier image for security. After the application of theproposed scheme, a third imageMy is receivedwhich is now the secretshared image. Now if the key-imageM1 and shared imageMy are bothavailable, the extraction of the secret image Mx is possible, but thisextracted image Mx will have missing or noisy pixels which willrequire post processing. The block diagram of the proposed methodusing the RSA cryptosystem for extraction and reconstruction for twoimages is shown in Fig. 5. Due to the multiplicative homomorphicproperty of RSA, according to Eq. (18) we have:

my ið Þ ≡ m1 ið Þ × mx ið Þmod n: ð20Þ

We can do inverse modulo operation on Eq. (20), which givessingle values for the blocksm1(i) ofM1 which are relatively prime to nand multiple solutions for the blocks m1(i) which are not relativeprimes to n. The reconstruction step consists in choosing the bestvalue among the multiple solutions for particular pixels in order toreconstruct the original image Mx.

In order to explain the principles that make the extraction of thesecond imageMx possible, let us consider that p and q are primes suchthat pbq, and n=p×q. Let m1(i), mx(i) and my(i) three integersbetween 0 and n-1, satisfying Eq. (20). Then, if M1 and My are givenand we want to extractMx, it is similar to say thatm1(i) andmy(i) aregiven and we want to extract mx(i). We are interested in the solutionof the above modular equation ifmx(i) is not known. To extractmx(i),we have two cases presented in Proposition 3.1.

Proposition 3.1. If m1(i) and n are relatively primes, then mx(i) has aunique solution. Contrary to this, if m1(i) and n are not relative primethen there exists p solutions if m1(i) is multiple of p, or q solutions if m1(i)is multiple of q.

Proof 3.1. The first part of the proposition is trivial, we explain thesecond part i.e. the case where m1(i) and n are not relatively primes.In this case, the only common divisors possible to m1(i) and n, are p andq. That is, m1(i) is multiple of p or q. Suppose that m1(i) is multiple ofp, then m1(i)=k×p, where k∈{1, …, q−1}. Thus, p divides m1(i) andn, and from the Eq. (20)p also divides my(i). We can then write my ið Þ =p ×m̃y ið Þ, Eq. (20)signifies that there exists an integer l such that:

k × p × mx ið Þ = p × m̃y ið Þ + l × p × q; ð21Þ

and thus dividing by p gives:

k × mx ið Þ = m̃y ið Þ + l × q: ð22Þ
587
Fig. 5. Extraction and reconstruction of i


ED P

RO

OF

Thus, we have:

k × mx ið Þ ≡ m̃y ið Þmod q: ð23Þ

Since k is strictly less than q, it is relatively prime to q and thusinvertible modulo q, therefore:

mx ið Þ ≡ k−1 × m̃y ið Þmod q: ð24Þ

This single solution modulo q leads to p solutions modulo n for theblock mx(i): one before q, one between q and 2q and so on; in the case ofm1(i) is multiple of q, we have in the same way q solutions. □

Since we may have multiple solutions for these noisy blocks ofMx,indeed a lot of values would be factors of the initial primes p and q, sothey would give multiple solutions for each noisy block of Mx, thesesolutions must be less than or equal to {1,…, q} and the original valueof the noisy block of Mx belongs to this solution set. We would keepstoring this solution set for each noisy block.

In order to select the best value from the solution set for the noisyblock and to remove the noisy blocks from the extracted Mx, we cantake advantage of the homogeneity of the visual data, as there is highdegree of coherence in the neighborhood of a given image pixel. So wecalculate the average of the non-noisy pixel neighbors of noisy blocksof Mx and this average value is compared with each value of thesolution set for the corresponding pixels, and then select the valuefrom the solution set which is giving us the least distance fromaverage value.

3.5.2. Probability distribution of noisy pixelsBy using RSA cryptosystem, noisy pixel blocks are generated

during the extraction of the original secret image. These noisy pixelsare the values of the pixels of the original image which are factors ofthe initial primes being selected. Finding the probability distributionof these noisy pixels would help us in selecting the size of the block.

If p and q represent the initial primes in bits, then the probability ofnon-noisy or correct pixels is given by:

P Non Noisyð Þ = 1− 1p

+1q

� �: ð25Þ

Obviously the total number of blocks (TB) is the sum of the totalnumber of correct blocks (TCB) and noisy blocks (TNB), i.e. TB=TCB+TNB. If we group the pixels into a block the TCB would be:

TCB = TB × 1− 1p

+1q

� �� ; ð26Þ

and the TNB would be given by:

TNB = TB ×1p

+1q

� �: ð27Þ

The TNB will depend on the p and q values. Theoretically, tominimize TNB, we should have p = q =

ffiffiffin

pbut experimentally, that

is not possible.

mage Mx having pixels of image M1.




UNCO

RRECTED P

RO

OF

Fig. 6. a)–f) 6 secret original images M1, …, Ml, g)–l) Encrypted images with Paillier of (a)–(f), respectively.


Please cite this article as: N. Islam, et al., Application of homomorphism to secure image sharing, Opt. Commun. (2011), doi:10.1016/j.optcom.2011.05.079



Original text:

Inserted Text

"-"

Original text:

Inserted Text

"-"

Original text:

Inserted Text

"-"

T

588

589

590

591592

593594

595

596

597

598599600

601

602

603

604

605

606

607

608

609

610

611

612

613

614

615

616

617

618

619

620

621

622

623

624

625

626

627

628

629

630

631

632

633

634

635

636

637

638

639

640

641

642

643

644

645

646

647

648

649

650


Assume that we have a block of single pixel, then the value of pand q would be p≈24 and q≈24, if we assume the image size 512×512=218 pixels. Then P Non Noisyð Þ = 1− 1

24+ 1

24

� �= 1− 1

23, and

total number of correct blocks are given by TCB = 218 ×1− 1

24+ 1

24

� �� = 218−215 blocks. The total number of noisy blocks

is given by TNB = 218 × 124

+ 124

� �= 215 = 32768 blocks.

If the block size is two pixels, then the number of blocks in theimage will be 217 and probability distribution of noisy blocks isP Non Noisyð Þ = 1− 1

28+ 1

28

� �= 1− 1

27and total number of correct

blocks is given by TCB = 217 1− 128

+ 128

� �� = 217−210 blocks, and

total number of noisy blocks is given by TNB = 217 × 128 + 1

28

� �=

210 = 1024 blocks.The above theoretical results are based on the symmetrical

selection of initial primes with respect to the number of bits. Theterm symmetrical means that the sizes of the primes are approxi-mately equivalent. The selection of non-symmetrical primes ispossible and mostly useful for the sake of security as the interest isonly in the product of primes p×q=n.

4. Experimental results and discussions

In this section, first experiments over the proposed approach onPaillier and RSA cryptosystems are discussed. Thereafter, securityanalyses for the proposed approaches are carried out in the shape ofvarious tests like analysis of entropy, local standard deviation,correlation of adjacent pixels and key sensitivity test.

4.1. A full example of the proposed scheme involving PaillierCryptosystem

For the demonstration of the proposed scheme over PaillierCryptosystem, experimental tests were carried out on six gray levelkey-images and a secret map image, where each image is 8 bits/pixelhaving a size of 512×512 pixels.

UNCO

RREC

Fig. 7. a) Secret image to be shared (Mx), b) Encrypted image with Paillier of (a), c) EncryHistogram of (a), (b) and (c), respectively.


ED P

RO

OF

Since the size of keys for encryption and decryption is chosen to be512 bits, the block size is n=512/8=64 pixels, so each block consistsof 8×8 pixels. The encryption of six key-images M1, …, M6 and asecret map image Mx is given by C1, …, C6 and Cx. These encryptedimages are further scrambled by applying a multiplication modulo n2

in a specified order to get a new encrypted image Cy. Cy is thendecrypted to get My which is our intended scrambled image to beshared through some transmission channel, not necessarily secured.Fig. 6.a–f presents the 6 original key-images of the players. Fig. 6.g–lillustrates the corresponding encrypted images obtained from the 6key-images, where the image in Fig. 7.a is the secret image to beshared securely by the dealer (treasure map), Fig. 7.b is the encryptedversion of Fig. 7.a while Fig. 7.c corresponds to the encrypted imagefrom the multiplication of the 7 encrypted images from Figs. 6.g–land 7.b.

4.1.1. Extraction with the l key-imagesIn Fig. 8, we show the decryption and extraction of the shared

secret image. Fig. 8.a illustrates the decrypted image which is actuallythe sum of the l+1 images that is used for the onward transfer.Finally, Fig. 8.b shows the reconstructed image which is 100% same asthe original image Mx. It may be noted over here that thereconstructed image does not depend on the order to subtract the lkey-images.

4.1.2. A model of generalized (l-1,l)In order to understand the tolerance of the proposed scheme in the

absence or modification of a key-image, it has been observed that theproposed scheme under Paillier cryptosystem is tolerably sensitive toany change in the key-image. This tolerance reflects the additivehomomorphic property of Paillier. Experiments were performed inorder to understand the behavior of additive homomorphic propertywhile making changes in any of the key-image and observe its impactover the resultant extracted image. For this purpose, during theextraction, one of the key-images from Fig. 6.a–f was replaced with a

pted image Cy obtained from multiplication of Fig. 6.g to 6.l and Fig. 7.b, d), e) and f)




Original text:

Inserted Text

"are"

Original text:

Inserted Text

"are"

Original text:

Inserted Text

"are"

Original text:

Inserted Text

"are"

Original text:

Inserted Text

"-"

Original text:

Inserted Text

"-"

Original text:

Inserted Text

"-"

Original text:

Inserted Text

" percent"

Original text:

Inserted Text

"-"

OF

651

652

653

654

655

656

657

658

659

660

661

662

663

664

665

666

667

668

Fig. 8. a) Decrypted image of Fig. 7.c which is the scrambled shared image, b) Extracted image.


JPEG compressed image at different compression quality factors.Fig. 9.b and d represent the extracted secret images when the key-image in Fig. 6.d is compressed with JPEG at a quality factor of 25%, asshown Fig. 9.a, and 50%, as shown Fig. 9.c. Sharp observation revealssome noisy pixels in the extracted images illustrated Fig. 9.b and d, butthe overall quality is good, as corraborated by its PSNR which wasobserved to be greater than 35 dB. It can be concluded from theseexperiments that small variations in the original data can be tolerableand the extraction of the secret image is possible.

UNCO

RRECT

Fig. 9. a) Compressed key-image at a quality factor of 25% (PSNR=36.58 dB), b) ExtractedImage at a quality factor of 50% (PSNR=38.90 dB), d) Extracted secret image using the com


PROTo make our scheme analogous to the (k, l) threshold scheme,

described in Section 2.6, we have tailored our method to a (l−1, l)scheme by replacing one of the key-images with a neutral homoge-neous image where all the pixels are set to 128 intensity, as shown inFig. 10.a. This replacement is tantamount to the absence of the imagein question, making our scheme conform to the (k, l) threshold. Anumber of experiments were performed to this effect, e.g.Fig. 10.b.illustrates the extracted imagewhen the key-image presented Fig. 6.b.is missing and replaced by a homogeneous image given in Fig. 10.a.

ED

secret image using the compressed image of Fig. 9.a (PSNR=36.48 dB), c) Compressedpressed image of Fig. 9.c (PSNR=38.78 dB).




T

OF

669

670

671

672

673

674

675

676

677

678

679

680

681

682

683

684

685

686

687

688

689

690

691

692

693

694

695

696

697

698

699

700

701

702

703

704

705

706

707

708

709

710

711

712 Q1713

714

715

716

717

718

719

720

721

722

723

724

725

726

727

728

729730731

732733734

735736737

738

739

740

741

742

Fig. 10. a) A homogeneous image, b) The resultant extracted secret image.


UNCO

RREC

This experimentation shows that the extraction of the secret image isapproximately possible in the absence of one key-image.

4.2. A full example employing RSA

Fig. 11 illustrates an example of the proposed method using theRSA algorithm. Like the Paillier cryptosystem, experimental tests werecarried out on six gray level key-images and a secret Lena image,where each image is 8 bits/pixel having a size of 512×512 pixels. Thesize of the keys for encryption and decryption is chosen to be 512 bits,thus the block size becomes 64=8×8 pixels. With this key size, theprobability of pixel block values which are factors of prime product isvery small as explained in Section 4.2.1. Fig. 11.a–f presents theoriginal images and Fig. 11.g–l presents the corresponding encryptedimages with the RSA. Fig. 12.a presents the secret Lena image to beshared among the participants, Fig. 12.b presents the encrypted Lenaimage, Fig. 12.c presents the multiplication of the encrypted Lenaimage with the other encrypted images using the proposed protocol.Fig. 12.d–f presents the histogram of the images in Fig. 12.a–crespectively. Fig. 13.a presents the decrypted image of Fig. 12.c, whileFig. 13.b presents the extracted secret image of Lena.

As explained in Proposition 3.1, there may exist pixel block valueswhich are factors of the prime product and which may lead tomultiple solutions while extracting the secret image. For this purpose,we used Lena image and another image keeping the prime values toosmall to have multiple solutions. In Fig. 14, we show the extractionand reconstruction of the shared secret image. Fig. 14.a illustrates theextracted image with noisy blocks of two pixels having multiplepossible solutions.2 Finally, Fig. 14.b shows the reconstructed image,where the missing or noisy pixels were reassigned the mean value ofnon-noisy neighboring pixels. This latter image is visually more closeto the original image, as revealed by its PSNR of 47.8 dBwith referenceto the original Lena image. This value shows high degree of likenessbetween the original and the reconstructed image.

4.2.1. Selection of block sizeExperiments for the selection of block size have been performed on

100 different images, based on the selection of primes of nearly equalsizes.We found that the larger the block size, greaterwill be the securityand lower the risk of the noisy pixels. Table 1 shows the probabilitydistribution of noisy blocks for various block sizes. For our experiments,the initially selected primes were symmetric with respect to bit size. InTable 1, we can see that as the block size increases, the probability of

743744745

746

2 For visual illustration we have chosen blocks of two pixels even if the security levelis not high.


ED P

ROnoisy blocks decreases. The experimental results over an average of 100

images with noisy blocks (third column) confirms the statement aboutthe inverse relationship between the size of the block and thenumber ofnoisy blocks (Table 2). We observe that, as a rule of thumb, when theblock size increases beyond 4 pixels, noisy pixel blocks are rarelyobserved.

For the sake of simplicity, note that primes of nearly equal sizeshave been taken for these experiments. Fig. 15.a–d shows thegraphical representation of the results when single, double, 2×2=4and 4×4=16 pixel block are selected.

4.3. Security analysis

4.3.1. Analysis of entropy and local standard deviationThe security of the encrypted images can be measured by

considering the variations (local or global) in the protected images.Considering this, the information content of image can be measuredwith the entropy H(X), where entropy is a statistical measure ofrandomness or distortion that ismostly used to characterize the texturein the input images. If an image has 2k gray levels αi with 0≤ ib2k andthe probability of gray level αi is P(αi), and without considering thecorrelation of gray levels, the entropy H(X) is defined as:

H Xð Þ = − ∑2k−1

i=0P αið Þlog2 P αið Þð Þ: ð28Þ

If the probability of each gray level in the image is P αið Þ = 12k, then

the encryption of such image is robust against statistical attacks, andthus H(X)= log2(2k)=k bits/pixel. In an image, the informationredundancy r is defined as:

r = k−H Xð Þ: ð29Þ

When r is close to 0, the security level is acceptable. Theoreticallyan image is an order-M Markov source, with M being the image size.In order to reduce the complexity, the image is cut into small blocks ofsize n and considered as an order-n Markov source. The alphabet ofthe order-n Markov source, called X′, is βi with 0≤ ib2kn and theorder-n entropy H(X′) is defined as:

H X′� �

= H Xn� �= − ∑

2kn−1

i=0P βið Þlog2 P βið Þð Þ: ð30Þ

We used 2k=256 gray levels and blocks of n=2 or 3 pixelscorresponding to a pixel and its preceding neighbors. In order to have




Original text:

Inserted Text

"-"

Original text:

Inserted Text

"-"

Original text:

Inserted Text

"-"

Original text:

Inserted Text

"-"

Original text:

Inserted Text

"-"

UNCO

RRECTED P

RO

OF

Fig. 11. a–f) 6 key-images M1, …, Ml, g–l) Encrypted images with RSA of (a)–(f), respectively.





Original text:

Inserted Text

"-"

Original text:

Inserted Text

"-"

Original text:

Inserted Text

"-"

UNCO

RRECTED P

RO

OF

Fig. 12. a) Secret image to be shared (Mx), b) Encrypted image with of (a), c) Encrypted image Cy obtained frommultiplication of Fig. 11.g to Figs. 11.l and 12.b, d), e) and f) Histogramof (a), (b) and (c), respectively.

Fig. 13. a) Decrypted image of Fig. 12.c which is the scrambled image, b) Extracted image.

Fig. 14. a) Extracted image with blocks of two pixels, b) Reconstructed image.





747

748

749

750

751

752

753754755

756

757

758

759

760

761

762

763

764

765

766

767

768

769

770

771

772

773

Table 1t1:1

Probability Distribution of noisy blocks for image size of 512×512.t1:2t1:3 Block size

in pixelsNumberof blocks

Average theoreticalnoisy pixels blocks

Average experimentalnoisy pixels blocks

t1:4 1 218 215 34,650t1:5 2 217 210 1223t1:6 2×2=4 216 2 1.8t1:7 4×4=16 214 2−53 0t1:8 8×8=64 212 2−243 0t1:9 16×16=256 210 2−1018 0t1:10 32×32=1024 28 2−4091 0t1:11 64×64=4086 26 2−16380 0

Table 2t2:1

1st order and 2nd order entropy of original images over Paillier scheme and RSAscheme.

t2:2t2:3 H(X) 1st order entropy

(bits/pixels)2nd order entropy(bits/pixels)

t2:4 Original map image 7.28 13.35t2:5 Paillier Scheme 7.99 15.80t2:6 Original lena image 7.45 12.33t2:7 RSA scheme 7.99 15.76


minimum redundancy i.e. r≈0, as required by Eq. (29), we shouldhave k=8 bits/pixel for Eq. (28) and k=16 or 24 bits/block forEq. (30).

UNCO

RRECT

Fig. 15. Noise frequency for 100 images of size 512×512: a) In single pix


PRO

OF

We also analyzed the variation of the local standard deviation σ( j)for each pixel p(j) by taking into account its m neighbors to calculatethe local mean p jð Þ according to the following equation:

σ jð Þ =ffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffiffi1m

∑m

i=1p ið Þ−p jð Þ� �2s

; ð31Þ

where m is the size of the pixel block to calculate the local mean andstandard deviation, and 0≤ jbM.

Fig. 16 shows the histograms of the original and the scrambledimages using the proposed two schemes based on the Paillier and RSAcryptosystems. Here a visible change in the histogram shape can beobserved between the plain images and the corresponding transmit-ted image. In Fig. 16.d and h, we can see uniform distributions of thegray level values among the pixel coordinates of the transmittedimage, while for the original images, Fig. 16.c and g, their peaks of graylevel values which signify some shapes or objects are present.

From Eq. (28) we get high entropy values of 1st order and 2ndorder over the transmitted scrambled images, while using theproposed schemes for Paillier and RSA. The information redundancyr for the scrambled image, involving the Paillier scheme over 1st orderentropy is 0.01 and that for 2nd order entropy is 0.20 which arenegligible as compared to those for the original image, i.e. 0.72 and2.65 for 1st and 2nd order respectively. The value of r for scrambledimage, involving RSA-based scheme, over 1st order entropy is 0.00079and over 2nd order entropy is 0.24 as against 0.55 and 3.67 for 1st and2nd order respectively, with the original image.

ED

el block, b) In 2 pixel block, c) In 4 pixel block, d) In 16 pixel block.




Original text:

Inserted Text

"there"

UNCO

RRECTED P

RO

OF

774

775

776

777

778

779

780

781

782

783

Fig. 15 (continued).


We also analyzed the variation of the local standard deviation σ foreach pixel while taking its neighbors into account. The mean localstandard deviation equals 73.86 gray levels for the scrambled image ofFig. 16.b using Paillier-based scheme, whereas the mean localstandard deviation equals 13.38 gray levels for the original Map


image. Similarly, the mean local standard deviation equals 72.60 graylevels for the scrambled image of Fig. 13.a using RSA-based scheme,whereas the mean local standard deviation equals 6.21 gray levels forthe original Lena image. These analyses show that the scrambledimages are protected against statistical attacks.




Original text:

Inserted Text

"analysis "

UNCO

RRECTED P

RO

OF

784

785

786

787

788

789

Fig. 16. a) Original map image, b) Scrambled image from Fig. 8.a for safe transmission of (a) using Paillier, c, d) Histogram of (a) and (b) respectively, e) Original Lena image,f) Scrambled image from Fig. 13.a for safe transmission of (e) using RSA, g, h) Histogram of (e) and (f) respectively.


4.3.2. Correlation of adjacent pixelsVisual data is usually highly correlated i.e. pixel values are highly

probable to repeat in horizontal, vertical and diagonal directions.


Since RSA public-key cryptosystem is not random in nature, it givesthe same results for the same values of the inputs. It means that if animage region is highly correlated or having same values, then the




790

791

792

793

794

795

796

797

798799800801802

803

804

805

806

807

808

809

810

811

812

813

814

815

816

817

818

819

820

821

822

823

824

825

Table 3t3:1

Correlation of horizontal, vertical and diagonal adjacent pixels in two images usingPaillier cryptosystem.

t3:2t3:3 Plain map image Scrambled image

t3:4 Horizontal 0.8287 1.7112×10−4

t3:5 Vertical 0.8529 0.0027t3:6 Diagonal 0.7905 0.0034

Table 4t4:1

Correlation of horizontal, vertical and diagonal adjacent pixels in two images using RSAcryptosystem.

t4:2t4:3 Plain Lena image Scrambled image

t4:4 Horizontal 0.9936 0.00240t4:5 Vertical 0.9731 0.00013t4:6 Diagonal 0.9309 0.00022


public-key encryption will produce the same results, and a cryptan-alyst may have enough clues to the information content related to theoriginal image. An image based cryptosystem is considered robustagainst statistical attacks if it succeeds in providing low correlationbetween the neighboring pixels. The proposed encryption schemegenerates a ciphered image with low correlation among the adjacentpixels. A correlation of a pixel with its neighboring pixel is given byordered pair (xi, yi) where yi is the adjacent pixel of xi:

corr x;yð Þ =1

M−1∑n

0

xi − xiσx

� �yi − yiσy

!; ð32Þ

UNCO

RRECT

Fig. 17. Key sensitivity test: a) Encrypted image w

Fig. 18. a) Image encrypted with K1 and decr


where M represents the total number of tuples (xi, yi), xi and yirepresents their respective means and σx and σy represent theirrespective standard deviations.

In Table 3, we can see correlation values of original map image andthe transmitted scrambled image using Paillier cryptosystem. Herethe correlation coefficients in horizontal, vertical and diagonaldirections are higher in plain map image while these values arevery small in the encrypted images. Similarly, in Table 4, we can seecorrelation values of Lena image and the corresponding transmittedscrambled image using RSA cryptosystem. It can be noticed from thesetables that the proposed schemes minimize the correlation co-efficients in horizontal, vertical and diagonal directions.

PRO

OF4.3.3. Key sensitivity test

Robustness of a cryptosystem can be improved if it is made highlysensitive towards the key. The more sensitive the visual data to thekey, more would be the data randomness higher the value of theentropy, leading and hence to lower visual correlation among thepixels of the image. For this purpose, a key sensitivity test wasconceivedwhere we picked one key, K1, of 512 bits and then apply theproposed techniques for encryption, followed by a one bit change inthe length of the key i.e. K2 of 511 bits and then re-apply the proposedencryption techniques. Numerical results show that the proposedapproach is highly sensitive towards the key change i.e. a totallydifferent version of scrambled image was produced when the keyswere changed, as shown in Fig. 17, which is an example of using RSA-based scheme. The correlation between the two encrypted imageswhich are produced by applying the proposed approach, with two

ED

ith key, K1, b) Encrypted image with key, K2.

ypted with K2, b) Reconstructed image.




826

827

828

829

830

831

832

833

834

835

836

837

838

839

840

841

842

843

844

845

846

847

848

849

850

851

852

853

854

855

856

857

858859860861862863864865

900


different keys K1 and K2, is given by 0.118 for RSA-based scheme and0.0952 for Paillier-based scheme, which means there is negligibleamount of correlation among the pixels of the ciphered imagesproduced with different keys. Also, if we encrypt an image with onekey (K1) and decrypt with another key (K2) and then apply theproposed scheme for the reconstruction of the original image, wecannot get the original image. This observation over the RSA-basedscheme can be deduced from Fig. 18.

866867868869870871872873874875876877878879880881882883884885886887888889890 Q2891892893894895896897898899

5. Conclusions

In this paper, we proposed a method for sharing a secret imageusing key-images by exploiting the additive homomorphic propertyof Paillier cryptosystem and the multiplicative homomorphic prop-erty of RSA cryptosystem. The proposed method is analogous to theVSS scheme but here we took a number of different key-images andthen exploited the homomorphic property of public key cryptosys-tems to devise a protocol where a scrambled secret image is formed.Of the two schemes employed, i.e. Paillier and RSA, it has been shownthat the extracted image from additive homomorphic Pailliercryptosystem observes no change. On the other hand, in theapplication of the RSA, which is multiplicative homomorphic, caremust be taken while selecting the size of the pixel blocks forencryption, in order to avoid prime multiplicity problem. We showedthat the extraction of the original secret image, involving the RSAalgorithm, is possible if a block size of more than 4×4 is used wherebythe probability of noisy pixels approaches 0. The advantages of theproposed approach are the low computational cost at the extractionprocess, limiting of the dealer's intervention in the secret sharingprocess and no increase in the size of shared scrambled image.We canuse the proposed scheme in various applications on any public keycryptosystem that satisfies the desired additive or multiplicativehomomorphic property.

UNCO

RRECT


ED P

RO

OF

References

[1] B. Schneier, Applied Cryptography, Wiley, New-York, USA, 1995.[2] I. Cox, M. Miller, J. Bloom, J. Fridrich, T. Kalker, Digital Watermarking and

Steganography, Morgan Kaufmann, 2008.[3] D. Rappe, Homomorphic Cryptosystems and their Applications, Cryptology ePrint

Archive, Report 2006/001, 2006.[4] M. Kuribayashi, H. Tanaka, IEEE Transactions on Image Processing 14 (12) (2005)

2129.[5] M.V. Droogenbroeck, R. Benedett, Proc. of Advanced Concepts for Intelligent

Vision Systems (ACIVS) 2002, Ghent, Belgium, Sept. 2002, p. 90.[6] A. Alattar, G. Al-Regib, S. Al-Semari, Proc. IEEE Int. Conf. on Image Processing,

vol. 4, 1999, p. 256.[7] H. Cheng, X. Li, IEEE Transactions on Signal Processing 48 (8) (Aug. 2000) 2439.[8] A. Shamir, Communications of the ACM 22 (11) (1979) 612.[9] M. Naor, A. Shamir, Visual Cryptography, Springer-Verlag, 1995.

[10] P. Paillier, Public-Key Cryptosystems Based on Composite Degree ResidousityClasses, 1592, Springer-Verlag, 1999, p. 223.

[11] A. Uhl, A. Pommer, Image and Video Encryption: From Digital Rights Managementto Secured Personal Communication, Springer, 2005.

[12] E. Gamal, IEEE Transactions on Information Theory (1985) 469.[13] C. Fontaine, F. Galand, EURASIP Journal on Information Security 2007 (1) (2007) 1.[14] J. Borie, W. Puech, M. Dumas, ICDIA 2002, Diagnostic Imaging and Analysis,

Shanghai, R.P. China, Aug. 2002, p. 250.[15] C. Fu, Z.-C. Zhang, Y. Chen, X.-W. Wang, An Improved Chaos-Based Image

Encryption Scheme, ICCS ’07: Proceedings of the 7th international conference onComputational Science, Part I, 2007, p. 575.

[16] J. Hu, F. Han, Journal of Network and Computer Applications 32 (4) (2009) 788.[17] J. Giesl, K. Vlcek, ICGST International Journal on Graphics, Vision and Image

Processing, GVIP 09 (2009) 19.[18] S.R.M. Prasanna, Y.V.S. Rao, A. Mitra, International Journal of Computer Vision 1

(2) (2006) 132.[19] G. Ateniese, C. Blundo, A. D. Santis, D. R. Stinson, Visual cryptography for general

access structures, Electronic Colloquium on Computational Complexity (ECCC) 3(12).

[20] S. Droste, CRYPTO ’96: Proceedings of the 16th Annual International CryptologyConference on Advances in Cryptology, Springer-Verlag, London, UK, 1996, p. 401.

[21] Á.M. del Rey, G.R. Sánchez, IWANN (1), Vol. 5517 of Lecture Notes in ComputerScience, Springer, 2009, p. 1200.

[22] M. Iwamoto, L. Wang, K. Yoneyama, N. Kunihiro, K. Ohta, IEICE Transactions 89-A(5) (2006) 1382.

[23] M. Iwamoto, H. Yamamoto, H. Ogawa, IEICE Transactions 90-A (1) (2007) 101.[24] S. Cimato, R.D. Prisco, A.D. Santis, Theoretical Computer Science 374 (1–3) (2007)

261.




Original text:

Inserted Text

"a "

Original text:

Inserted Text

"’"

application of homomorphism to secure image sharing

Documents